From Investigator to Analyst - Modernizing Protective Intelligence

Picture the scene: a lone investigator in a dimly lit back office, hunched over a desk, scrolling through social media feeds. A whiteboard in the corner maps vague connections between names. The investigator squints at a printout of a threatening message. It's methodical, even dedicated, but it’s also obsolete.

This image, once emblematic of protective intelligence work, no longer meets the demands of the complex and interconnected threat landscape against which close protection teams must defend. The world has changed, and so too must our approach when it comes to defending our principals through intelligence-driven operations. Threats now emerge faster, from more diffuse sources, and often in ambiguous hybrid forms: social media manipulation, extremist ecosystems, disinformation campaigns, and AI-assisted targeting. The “lone wolf,” a moniker often used to describe certain attackers, still unfortunately describes how many organizations run their protective intelligence functions.

To modernize the protective intelligence space requires a paradigm shift in which the old framework of a siloed process advances into a proactive, integrated, analyst-driven capability that informs strategy as much as it supports operations. It must blend traditional investigative tradecraft with more forward-thinking endeavors, such as behavioral threat assessment, geopolitical analysis, and cutting-edge technology. And it must be embedded at the core of executive protection planning. While we have previously discussed the role of the “security centaur” and how technology will change the profession, it is now time to understand what  an intelligence-led ecosystem will do for the industry—anticipating threats, shaping decisions, and defending in time, not just space.

Evolving from Investigator to Analyst

Traditional protective intelligence has long centered on investigations: reviewing threat cases, compiling incident reports, and tracking persons of interest (POIs). This work remains essential in managing known risks and supporting law enforcement collaboration, but with dynamic, multi-domain threats, investigations alone are not enough. Protective intelligence must mature into something broader and more strategic by becoming analysis driven. Being analysis driven means that protective intelligence professionals will also be capable of seeing patterns where others see noise, identifying escalation indicators before violence erupts, and informing protection strategies before a crisis develops. This means shifting the center of gravity from documenting what happened to anticipating what could happen and using that foresight to drive smarter decisions.

To make this shift, the field must invest in analytic training and proper tradecraft, including developing generalists, utilizing cognitive diversity, understanding the modern threat environment, and operating at the cross section of multiple domains. Protective intelligence professionals need more than instinct and experience—they need tools: structured analytic techniques to reduce bias, threat modeling frameworks to evaluate risk systematically, red teaming to challenge assumptions, and scenario planning to map future contingencies. The next generation of protective intelligence will belong to those who can think critically, forecast confidently, and move from case files to context and from reaction to readiness.

Building the “T-Shaped” Intelligence Professional

The first step in modernizing protective intelligence will be deploying the T-shaped analyst—a professional with both broad interdisciplinary fluencies combined with deep domain expertise. This model reflects what modern threat environments demand. Someone who has developed a specialty in a needed area, but also someone who is an adaptive thinker who can bridge silos and operate across disciplines, applying novel areas of knowledge.

The top of the "T" represents a wide base of generalist knowledge. Protective intelligence analysts must increasingly understand geopolitics, digital threat ecosystems, behavioral psychology, crisis communications, and disinformation dynamics. Learning broadly in this context is not academic narcissism or being ostentatious. Interpreting ambiguous threat signals and advising decision-makers requires an ability to understand multiple domains that intersect in unique and idiosyncratic ways. For example, a speech by a CEO in Taiwan may carry a different risk profile in light of China’s domestic politics, just as a surge in social media noise in the United States might signal a brewing reputational attack, not just idle chatter. However, without the ability to assess subtle differences or changes in Chinese or American politics, an analyst cannot accurately determine potential threats and risks. This is why the top security strategists from Winston Churchill to Henry Kissinger to Andrew Marshall have drawn from multiple disciplines and dedicated themselves to being lifelong learners.

Importantly, the vertical stem of the "T" remains essential. Analysts should absolutely have deep knowledge in areas like protective security operations, OSINT tradecraft, HUMINT integration, and behavioral threat assessment (or any number of useful and practical areas). Analysts must know how to vet a threat actor, map digital and physical behaviors, and understand escalation pathways. They also need to work in close partnership with protection teams as force multipliers embedded in operational tempo.

But this is no longer enough either because of the ever-expanding threat domains. Protective intelligence professionals should also be technologically fluent, comfortable with tools and systems that power modern analysis. This includes understanding the basics of coding and scripting, using query languages to extract meaningful data, building or modifying dashboards and visualizations, and perhaps even knowing Bayesian statistics and multivariate data analysis. Essentially, the modern protective intelligence professional must be strategic in scope and tactical in depth, combining cognitive flexibility with technical precision. The more they cultivate these T-shaped skill sets, the more resilient protective intelligence systems will become.

The Power of Cognitive Diversity

The next step of modernization means embracing cognitive diversity because teams that think alike miss alike. Monocultures of thought are a liability. For example, protective intelligence draws heavily from law enforcement (more than any other background), and while these individuals have strong skillsets as investigators, they tend to have gone through the same socialization and training, meaning they share the same blind spots, groupthink, and analytical inertia. [See this Ontic article on the professional backgrounds of security managers and where a majority come from police and military.]

Therefore, modern protective intelligence demands cognitive diversity to ameliorate this problem. Diversity is a powerful tool for analysts because no one can fully strip away their identity and experiences to be purely objective, and a diverse team of analysts means they can point out and fill in the gaps that exist. As such, organizations need to recruit people who don’t look, think, or work alike but who can interrogate assumptions, challenge threat models, and see around the next corner. No single background is sufficient, particularly if teams are also serious about developing T-shaped intelligence professionals.

Cognitively diverse teams improve analytical coverage and decision-making under pressure. A journalist might bring strong interview skills and understanding the human story behind the threat. A regional expert can add cultural nuance to shifting political trends. An engineer-minded person could help automate tedious tasks and surface hidden signals. The result is a more resilient, adaptive, and anticipatory intelligence function, one that is better equipped to navigate complexity and avoid costly surprises.

Understanding the Modern Threat

Modern threats are multi-dimensional, and protective intelligence must evolve accordingly by moving beyond monitoring social media, sentiment analysis, and investigating POIs. The modern adversary might be a lone actor radicalized in a digital echo chamber or a well-resourced campaign targeting corporate reputation, infrastructure, or leadership. Either way, the threat rarely presents itself in isolation. It emerges from intersecting geopolitical tensions, technological vulnerabilities, and public perception battles.

Protective intelligence professionals must understand that threats live across layers. The same week an executive is doxed by online extremists, the company may face cyber probing linked to foreign threat actors, while also being targeted by activist campaigns on controversial political policy stances. These are the kind of connected pressures on a company’s leaders that close protection teams (informed by intelligence) help protect against. Again, this is where the T-shaped intelligence professional thrives because they can fuse disciplines. Analysts will need to understand geopolitics (e.g., U.S.-China tensions, proxy conflicts, ideological warfare), cyber and tech risks (e.g., spyware, location leakage, deepfakes, ransomware), and corporate exposure (e.g., regulatory retaliation, activist litigation, reputational targeting). Threats to executives are now less often individual malice or parasocial relationships, but they are more often these kinds of multi-domain issues.

Converging the Mission

The final aspect of modernizing protective intelligence is using the role as the primary area of cross-functional convergence to deal with the multi-domain threats as described above. As many people have experienced, multinational corporations (and many other organizations) allow their various teams to exist in silos. How many times is this lamented at security conferences? Well, a solution presents itself with the modernized protective intelligence team made up of diverse T-shaped analysts who can speak to those different functions.

Such teams will be able to assess interconnected risks and manage them across the enterprise. While protectors are doing the hard work of defending the principal, the protective intelligence analyst should be doing this kind of coordination behind the scenes, acting as the connective tissue between functions. That means working hand-in-hand with HR on insider threat indicators, IT on account compromise and social engineering, Legal on reputational exposure and litigation risk, Comms on narrative attacks and media manipulation, and of course, Security Operations on physical protection and access control. Each holds part of the threat picture. Only intelligence can synthesize it and provide mission convergence.

Final Thought

An attempt to modernize protective intelligence is primarily about moving beyond reactive checklists and toward a framework grounded in causal mechanisms, probability, and strategic forecasting. Notably, this means embracing the core principle of defending in time, not just in space. Traditional executive protection is built around proximity, barriers, and quick reaction, but when interconnected and asynchronous threats present themselves, distance and speed are no longer enough. The best protection happens hours, days, even weeks earlier, through effective intelligence. When the protector understands escalation pathways, adversary intent, and emerging risks before they manifest, he can disrupt a threat before it becomes apparent.

This may still fail, though, and protectors are absolutely needed in propinquity. Even in this context, protective intelligence should be about providing the protector with a decision advantage. That advantage comes from protective intelligence analysts asking the right questions before the crisis begins, spotting weak signals before they become patterns, and seeing connections others miss. They integrate behavioral insights, geopolitical awareness, cyber threat understanding, and operational knowledge into a single intelligence posture to give protectors the foresight they need.

Post Script: Because of the title of this newsletter, I found it interesting that a study concluded there was a positive (but weak) correlation between psychopathy and enjoying bitter flavors, especially the gin and tonic.